So, I give the get command. Passive mode times out because the firewall at the far end never opened port 56257 for me. Active mode fails because I'm behind a NAT wall.(*) Everything here is understood, right?

So, how can entering ftp://ftp.example.com/outgoing/testfile.txt in Firefox succeed from the same host across the same network connections?!

I suppose my serious technical question could be "Can I/How do I see what Firefox is doing under the covers to make this connection work?" Is Firefox bright enough to substitute the NAT IP address in its EPRT/PORT command?

Any ideas?

(*) Why does the NAT wall block Active connections? Because I told the ftp server to make its active connection to 192.168.10.61. It can't do that; any route it might have to that IP address won't get to me. The FTP server needs to make its connection to 169.254.101.20. If the NAT box at my end is super smart, it might reach into my EPRT packet and change that IP address to 169.254.101.20. (Which raises all sorts of uncomfortable questions about firewalls modifying packet payloads. Yah, that'll never be subject to cracking...)